[Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install

Rob Crittenden rcritten at redhat.com
Mon May 14 17:04:03 UTC 2012


pasqual milvaques wrote:
> The people from Ubuntu pointed me to this bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663127
>
> Enabling SSL3 in the server with these commands served as a workaround:
>
> ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x
>
> dn: cn=encryption,cn=config
> changetype: modify
> replace: nsSSL3
> nsSSL3: on
>
> exit
>
> but the client doesn't join the domain completely because there is no
> system-wide NSS database on the system:
>
> New SSSD config will be created.
> root : INFO New SSSD config will be created
> Configured /etc/sssd/sssd.conf
> root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=certutil: function failed: security library: bad database.
>
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1292, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1279, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1124, in install
>     run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273, in run
>     raise CalledProcessError(p.returncode, args)
> subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255
> pasqual at ubuntuprovesfreeipa:~$
>
> I can create it with these commands:
> mkdir -p /etc/pki/nssdb
> certutil -N -d /etc/pki/nssdb
>
> but it asks for a password. There are some obscure references about using a
> password file called pwdfile.txt that resides in the server, but I'm not
> sure what to do now. Perhaps the password must be blank. Any idea?

It isn't mandatory to set a password; there isn't one by default in 
Fedora installations. If you do set a password and place it in a file, 
you can pass the file location with -f. Arguably a password in a file is 
about as secure as a password-less database: for both you are relying on 
FS permissions (and perhaps SELinux, if configured).

rob
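As an added illustration (not from the original thread or from ipa-client-install itself), this Python sketch performs the step the client skipped: create /etc/pki/nssdb with an empty password file passed via -f, then import the IPA CA with the same certutil arguments quoted in the traceback. The runner callable is injectable so the command sequence can be checked without certutil or root; the helper names are mine.

```python
import os
import subprocess
import tempfile
from typing import Callable, List, Sequence

# Paths and trust flags exactly as quoted from the failing ipa-client-install run.
NSSDB_DIR = "/etc/pki/nssdb"
CA_CERT = "/etc/ipa/ca.crt"
TRUST_FLAGS = "CT,C,C"
Runner = Callable[[Sequence[str]], None]

def run_checked(args: Sequence[str]) -> None:
    """Default runner: like ipautil.run(), raise on a non-zero exit status."""
    subprocess.run(list(args), check=True)

def nssdb_exists(db_dir: str) -> bool:
    """certutil -N writes cert8.db (legacy) or cert9.db (sql backend)."""
    return any(os.path.exists(os.path.join(db_dir, f)) for f in ("cert8.db", "cert9.db"))

def ensure_nssdb(db_dir: str, run: Runner = run_checked) -> bool:
    """Create a password-less NSS database if none exists; True if created.
    An empty password file passed with -f means "no password" (the Fedora
    default); it is 0600 and deleted at once, so the database ends up guarded
    by directory permissions alone, as the reply notes. Hypothetical helper."""
    if nssdb_exists(db_dir):
        return False
    os.makedirs(db_dir, mode=0o755, exist_ok=True)
    fd, pwfile = tempfile.mkstemp(prefix="nssdb-pw-")   # mkstemp creates it 0600
    os.close(fd)                                        # zero bytes == empty password
    try:
        run(["certutil", "-N", "-d", db_dir, "-f", pwfile])
    finally:
        os.unlink(pwfile)
    return True

def import_ipa_ca(db_dir: str = NSSDB_DIR, ca_cert: str = CA_CERT,
                  run: Runner = run_checked) -> List[List[str]]:
    """Create the DB if needed, then import the IPA CA with CT,C,C trust.
    Returns the certutil command lines issued, in order, so the sequence can
    be verified with a fake runner and without root access."""
    issued: List[List[str]] = []
    def record(args: Sequence[str]) -> None:
        issued.append(list(args))
        run(args)
    ensure_nssdb(db_dir, record)
    record(["certutil", "-A", "-d", db_dir, "-n", "IPA CA",
            "-t", TRUST_FLAGS, "-a", "-i", ca_cert])
    return issued
```

Running `import_ipa_ca()` as root with the defaults reproduces the two commands the thread arrives at; a second run is a no-op for the database and only re-imports the CA.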
